incorporate Workers example

Author: ranbel

src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx

@@ -8,40 +8,149 @@ sidebar:
 
 import { Render, GlossaryTooltip } from "~/components"
 
-You can secure <GlossaryTooltip term="MCP server">Model Context Protocol (MCP) servers</GlossaryTooltip> by using Cloudflare Access as the Single Sign-On (SSO) provider. When users connect to the remote MCP server using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>, they will be prompted to log in to your [identity provider](/cloudflare-one/identity/idp-integration/) and are only granted access if they pass your [Access policies](/cloudflare-one/policies/access/#selectors).
+You can secure <GlossaryTooltip term="MCP server">Model Context Protocol (MCP) servers</GlossaryTooltip> by using Cloudflare Access as an OAuth Single Sign-On (SSO) provider.
+
+This guide walks through how to deploy a remote MCP server on [Cloudflare Workers](/workers/) that requires Cloudflare Access for authentication. When users connect to the MCP server using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>, they will be prompted to log in to your [identity provider](/cloudflare-one/identity/idp-integration/) and are only granted access if they pass your [Access policies](/cloudflare-one/policies/access/#selectors).
 
 ## Prerequisites
 
-- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust
+- Add an [identity provider](/cloudflare-one/identity/idp-integration/) to Cloudflare Zero Trust
+- Install [npm](https://docs.npmjs.com/getting-started)
+- Install [Node.js](https://nodejs.org/en/)
+
+## 1. Deploy an example MCP server
+
+To deploy our [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) on Workers:
+
+1. Open a terminal and clone our example project:
+
+		```sh
+		npm create cloudflare@latest -- mcp-server-cf-access --template=cloudflare/ai/demos/remote-mcp-cf-access
+		```
+
+		When asked if you want to deploy to Cloudflare, select **No**.
+
+2. Go to the project directory:
+
+	```sh
+	cd mcp-server-cf-access
+	```
+
+3. Create a [Workers KV namespace](/kv/concepts/kv-namespaces/) to store the key. The binding name should be `OAUTH_KV` if you want to run the example as written.
+
+   ```sh
+   npx wrangler kv namespace create "OAUTH_KV"
+   ```
+
+		The command will output the binding name and KV namespace ID:
+
+		```sh output
+		{
+			"kv_namespaces": [
+				{
+					"binding": "OAUTH_KV",
+					"id": "<YOUR_KV_NAMESPACE_ID>"
+				}
+			]
+		}
+		```
+
+4. Open `wrangler.jsonc` in an editor and insert your `OAUTH_KV` namespace ID:
+
+	```jsonc
+	"kv_namespaces": [
+		{
+			"binding": "OAUTH_KV",
+			"id": "<YOUR_KV_NAMESPACE_ID>"
+		}
+	],
+	```
+
+
+5. You can now deploy the Worker to Cloudflare's global network:
+
+   ```sh
+   npx wrangler deploy
+   ```
 
-## 1. Create an Access for SaaS app
+The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev`.
+
+## 2. Create an Access for SaaS app
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **SaaS**.
 3. In **Application**, enter a custom name (for example, `MCP server`) and select the textbox that appears below.
 4. Select **OIDC** as the authentication protocol.
 5. Select **Add application**.
-6. In **Redirect URLs**, enter the authorization callback URL for your MCP server (for example, `https://<SERVER-NAME>.<SUBDOMAIN>.workers.dev/callback`). Refer to your MCP server documentation for instructions on obtaining this value.
-7. Copy the following values to input into your MCP server's OAuth configuration. Different MCP servers may require different sets of input values.
-   - **Client secret**
-	 - **Client ID**
-	 - **Configuration endpoint**
-	 - **Issuer**
-   - **Token endpoint**
-   - **Authorization endpoint**
-	 - **Key endpoint**
-   - **Userinfo endpoint**
-8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) to reduce the number of times a user needs to log in to the identity provider.
-9. Configure [Access policies](/cloudflare-one/policies/access/) to define the users can access the MCP server.
+6. In **Redirect URLs**, enter the authorization callback URL for your MCP server. The callback URL for our [example MCP server](#1-deploy-an-example-mcp-server) is
+	 	```txt
+		https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback
+		```
+7. Copy the following values to input into our example MCP server. Other MCP servers may require different sets of input values.
+	- **Client secret**
+	- **Client ID**
+	- **Token endpoint**
+	- **Authorization endpoint**
+	- **Key endpoint**
+
+8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
+9. Configure [Access policies](/cloudflare-one/policies/access/) to define the users who can access the MCP server.
 10. Save the application.
 
-This SaaS application now acts as the SSO provider for your MCP server.
+## 3. Configure your MCP server
+
+Your MCP server needs to perform an OAuth 2.0 authorization flow to get an `access_token` from the SaaS app created in [Step 1](#1-create-an-access-for-saas-app). When setting up the OAuth client on your MCP server, you will need to paste in the OAuth endpoints and credentials from the SaaS app.
+
+To add OAuth endpoints and credentials to our [example MCP server](#1-deploy-an-example-mcp-server):
+
+1. Create the following [Workers secrets](/workers/configuration/secrets/):
+
+	```sh
+	wrangler secret put ACCESS_CLIENT_ID
+	wrangler secret put ACCESS_CLIENT_SECRET
+	wrangler secret put ACCESS_TOKEN_URL
+	wrangler secret put ACCESS_AUTHORIZATION_URL
+	wrangler secret put ACCESS_JWKS_URL
+	```
+
+2. When prompted to enter a secret value, paste the corresponding values from your SaaS app:
+
+	| Workers secret | SaaS app field |
+	| -------------  | -------------- |
+	| `ACCESS_CLIENT_ID`| Client ID |
+	| `ACCESS_CLIENT_SECRET` | Client secret |
+	| `ACCESS_TOKEN_URL` | Token endpoint |
+	| `ACCESS_AUTHORIZATION_URL` | Authorization endpoint |
+	| `ACCESS_JWKS_URL` | Key endpoint |
+
+3. Configure a cookie encryption key:
+
+		a. Generate a random string:
+
+			```sh
+			openssl rand -hex 32
+			```
+
+		b. Store the string in a Workers secret:
+
+			```sh
+			wrangler secret put COOKIE_ENCRYPTION_KEY
+			```
+
+## 4. Test the connection
+
+You should now be able to connect to your MCP server running at `https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/sse` using [Workers AI Playground](https://playground.ai.cloudflare.com/), [MCP inspector](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers.
+
+To test in Workers AI Playground:
+
+1. Go to [Workers AI Playground](https://playground.ai.cloudflare.com/).
 
-## 2. Configure your MCP server
+2. Under **MCP Servers**, enter `https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/sse`  for the MCP server URL.
 
-Configure the OAuth client on your MCP server to use the OAuth endpoints and credentials from the SaaS app created in [Step 1](#1-create-an-access-for-saas-app). The MCP server should successfully obtain an `access_token` after the user authenticates to Access.
+3. Select **Connect**.
 
-For a practical example of how to configure the OAuth client, refer to [Deploy an example MCP server](#deploy-an-example-mcp-server).
+4. A popup window will appear requesting access to the MCP server. Select **Approve**.
 
-## Deploy an example MCP server
+5. Follow the prompts to log in to your identity provider.
 
+Workers AI Playground will show a **Connected** status. The MCP server should successfully obtain an `access_token` from Cloudflare Access.